Consider performing sanity check on newly obtained certificates #240

Open
mholt opened this issue Jun 15, 2023 · 0 comments
Labels
discussion Let's talk about it

Comments

@mholt
Member

mholt commented Jun 15, 2023

Today's (relatively minor) Let's Encrypt incident (more info on HN - and on LE forums) makes me wonder if we should perform some checks on the certificates in case CAs have bugs that would cause browsers to reject the certs.

This function can probably get us a long way: https://pkg.go.dev/crypto/x509#Certificate.Verify - realizing that not all certificates trusted on the server will be trusted on clients.

This linter library can perhaps be helpful: https://pkg.go.dev/github.com/zmap/zlint#LintCertificate

In particular, today's incident involved invalid SCT signatures. Verifying this would probably involve calling out to some CT log. 😕

These kinds of bugs are very rare I think.

In fact, most CAs are/should be linting their certificates before issuing them... the reason today's incident wasn't caught was because this particular check does require an external resource.

So I dunno. I feel like it could be useful to have a mode (maybe optional? at least to start) that would vet all obtained certificates and, if the configured checks fail, move on to the next CA and get a certificate from that one instead.

Opening this issue for a discussion.

@mholt mholt added the discussion Let's talk about it label Jun 15, 2023
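The vetting-and-fallback mode sketched in the comment above, written out as an added example (this is not the project's code, nor Let's Encrypt's, and the `issuer` type, `sanityCheck`, `obtainWithFallback`, `makeCert` and `demo` names are all assumptions). It uses the standard-library `x509.Certificate.Verify` the comment links to, builds a throwaway self-signed test PKI instead of talking to a real CA, and puts a CA that mis-issues (wrong SAN) ahead of a correct one so the fallback path is exercised. The SCT-signature check from the incident is deliberately out of scope, since that needs a CT log; a zlint pass would slot in next to `Verify` inside `sanityCheck`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// sanityCheck vets a freshly obtained chain (chain[0] leaf, rest intermediates) as a
// client would: chain building, hostname, validity window and EKU via x509.Verify.
// roots is the caller's choice: as the issue notes, server-side trust may differ from clients'.
func sanityCheck(chain []*x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	if len(chain) == 0 {
		return errors.New("empty certificate chain")
	}
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	if _, err := chain[0].Verify(x509.VerifyOptions{
		DNSName:       host,
		Roots:         roots,
		Intermediates: inter,
		CurrentTime:   now,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}); err != nil {
		return fmt.Errorf("chain verification: %w", err)
	}
	return nil
}

// issuer is a hypothetical stand-in for one configured CA, not the project's own type.
type issuer struct{ name string; obtain func() ([]*x509.Certificate, error) }

// obtainWithFallback is the proposed mode: try CAs in order and skip any whose cert fails the checks.
func obtainWithFallback(issuers []issuer, roots *x509.CertPool, host string, now time.Time) ([]*x509.Certificate, string, error) {
	var failures []error
	for _, is := range issuers {
		chain, err := is.obtain()
		if err == nil {
			err = sanityCheck(chain, roots, host, now)
		}
		if err != nil {
			failures = append(failures, fmt.Errorf("%s: %w", is.name, err))
			continue
		}
		return chain, is.name, nil
	}
	return nil, "", fmt.Errorf("no CA produced an acceptable certificate: %v", failures)
}

// makeCert generates a P-256 key and has parent sign tmpl (self-signed when parent is nil).
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// demo: constructed test PKI (not a real CA); a mis-issuing CA (wrong SAN) precedes a correct one.
func demo() (string, error) {
	now := time.Now()
	ca, caKey, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour),
	}, nil, nil)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// leafFor simulates a CA; handing it the wrong SAN mimics a mis-issuance bug.
	leafFor := func(san string) func() ([]*x509.Certificate, error) {
		return func() ([]*x509.Certificate, error) {
			leaf, _, err := makeCert(&x509.Certificate{
				SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: san}, DNSNames: []string{san},
				NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
				KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
			}, ca, caKey)
			return []*x509.Certificate{leaf}, err
		}
	}
	issuers := []issuer{{"buggy-ca", leafFor("wrong.example")}, {"good-ca", leafFor("www.example.com")}}
	_, winner, err := obtainWithFallback(issuers, roots, "www.example.com", now)
	return winner, err
}
```

`demo()` returns `"good-ca"`: the first CA's certificate is rejected by `Verify` with a hostname mismatch and the loop moves on. In a real client the `roots` pool would be a browser-like bundle rather than the server's own store, and `now` lets the check be run against the clock the certificate will actually be served under.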